Abstract

We consider the decoding problem, or the problem of finding low weight codewords, for rank metric codes. We show how additional information about the codeword we want to find, in the form of certain linear combinations of the entries of the codeword, leads to algorithms with a better complexity. This is then used together with a folding technique for attacking a McEliece scheme based on LRPC codes. It leads to a feasible attack on one of the parameters suggested in [11].


1 Introduction 

McEliece schemes. The hardness of the problem of decoding a linear code makes its use very attractive in the cryptographic setting. Indeed, it has been proven to be NP-complete for the Hamming metric in the seminal paper of Berlekamp, McEliece and van Tilborg [2]. Moreover, despite some significant research efforts, only exponential algorithms are known for it and the exponent has decreased only very slowly over time [1]. One of the very first public-key cryptosystems [19] is actually (partly) based on this problem. It still belongs to the very few public-key cryptosystems which remain unbroken today.

One of the drawbacks of this scheme is its large public key size. It relies on a particular code family, namely Goppa codes, which in many respects look like random linear codes but still have an efficient decoding algorithm. Since then, many approaches have been tried to reduce the key size: (i) alternative code families have been proposed, (ii) codes with a large automorphism group, such as quasi-cyclic codes, have been used, (iii) the metric used for the code, and the code itself, have been changed.

McEliece schemes based on rank metric codes. In this paper we focus on a proposal which is a mixture of the approaches (ii) and (iii): the LRPC scheme of [11]. It relies on a new family of codes, called Low Rank Parity Check (LRPC for short) codes, which are devised for the rank metric. The first McEliece scheme based on rank metric codes was the Gabidulin-Paramonov-Tretjakov cryptosystem [9]. It relies on an analogue of Reed-Solomon codes for the rank metric, the "Gabidulin codes". The scheme got broken by Overbeck in [22]. One of the main reasons for its insecurity can be traced back to its rich algebraic structure. This is not the case for the LRPC scheme. For this family of codes, as for the MDPC-code-based McEliece scheme of [20], it seems that key security and message security really rely on the same problem, namely finding a low rank weight (or moderate Hamming weight for [20]) codeword in a linear code with no structure.

Decoding for the rank metric. It is essential with this approach to have a good assessment of the complexity of solving the decoding problem in the rank metric. Recall that in Delsarte's language [5], linear rank metric codes are viewed as the subspace generated by a set of matrices of the same size over some finite field $\mathbb{F}_q$.

The associated decoding problem is also known under the name "MinRank" and is known to be NP-complete [3]. Generally such codes arise in the form of linear codes defined over some extension field $\mathbb{F}_{q^m}$.

This problem has attracted some attention in the cryptographic community and algorithms of exponential complexity have been devised for it [4, 21, 12, 14, 6].
Attacks on quasi-cyclic codes by folding the code. The parameters of the LRPC scheme have been devised in order to be safe against the aforementioned algorithms for decoding in the rank metric. However, the authors of the scheme have also used quasi-cyclic versions of such codes in order to reduce further the size of the parameters. It has been found out recently [7, 8] that McEliece versions based on quasi-cyclic or quasi-monoidic codes can be attacked by reducing the size of the code by adding coordinates which belong to the same orbit of the automorphism group. This is called the "folding" process in these papers. When this process is applied to the quasi-cyclic or quasi-dyadic alternant or Goppa codes suggested in the cryptographic community, this results in a much smaller alternant or Goppa code and this can be used to mount a key recovery attack. This approach was further investigated and the folding process was generalized by using a polynomial formalism in [17]. It was shown there that this approach can be used for the quasi-cyclic LRPC codes of [11] and gives an LRPC code of much smaller size which still has low weight codewords in its dual. The decoding algorithm of [12] can then be used to find these low weight codewords in a more efficient way than for the original code. This results in a multiplicative gain in the complexity of the attack of order $2^{[\ldots]}$ for one of the parameters proposed in [11].

Our contribution. Our contribution in this paper is threefold. First we show how certain rank decoding algorithms of [21, 12] may benefit from some partial knowledge on the codeword which is sought. We consider here that we are given certain linear combinations of the entries of the codeword. This generalizes the $\mathbb{F}_{q^m}$-linear case where a certain entry can be assumed to be equal to 1. Roughly speaking, when we search in the latter case for a rank weight $w$ codeword using the algorithms of [21, 12] we have algorithms of complexity [...] where $\alpha$ is some quantity that depends on the algorithm which is considered and on some code parameters. We show how the complexity of these algorithms can be reduced to [...] when we know $a$ independent linear combinations of the code positions. We also obtain, by the approach of [12] applied to the transposed code, an algorithm with the same complexity as [21] but which is significantly simpler. Finally, we show that when the folding process is applied to the quasi-cyclic linear codes considered in [11] we know two independent linear combinations of the codeword we are looking for, instead of just one. This is then used together with the generalized folding process of [17] to give a much more efficient attack than in [17].

2 Generalities about rank metric codes

Let us start with the definition of a matrix code.

Definition 2.1 (Matrix code). A matrix code of size $m \times n$ over $\mathbb{F}_q$ is a linear code generated by matrices of size $m \times n$ over $\mathbb{F}_q$. When the code is of dimension $K$ we say that it is an $[m \times n, K]$ matrix code over $\mathbb{F}_q$.

Remark 2.2. It will be convenient to express $K$ in the form $K = k.m$. Notice that $k$ is not necessarily an integer.

It might be thought that this is nothing but a linear code of length $m.n$. The point of this definition is that we equip such codes with the rank metric that is defined by $d(A, B) = \mathrm{Rank}(A - B)$. The weight $|c|$ of a word $c$ is taken with respect to the rank, that is $|c| \stackrel{\text{def}}{=} d(c, 0) = \mathrm{Rank}(c)$. Generally such codes are obtained from $\mathbb{F}_{q^m}$-linear codes as follows.

Definition 2.3 (Matrix code associated to an $\mathbb{F}_{q^m}$-linear code). Let $C$ be an $[n, k]$ linear code over $\mathbb{F}_{q^m}$ and let $(\beta_1, \dots, \beta_m)$ be a basis of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$. Each word $c \in C$ can be represented by an $m \times n$ matrix $M(c) = (M_{ij})_{1 \le i \le m,\, 1 \le j \le n}$ over $\mathbb{F}_q$, with $c_j = \sum_{i=1}^{m} M_{ij}\,\beta_i$. $C_M \stackrel{\text{def}}{=} \{M(c),\ c \in C\}$ is the matrix code associated to the $\mathbb{F}_{q^m}$-linear code $C$. It is of type $[m \times n, k.m]$.

This definition depends of course on the basis chosen for $\mathbb{F}_{q^m}$. However, changing the basis does not change the distance between codewords. The point of defining matrix codes in this way is that they have a more compact description. It is readily seen that an $[m \times n, k.m]$ matrix code can be specified from a systematic generator matrix by $k(n-k)m^2 \log_2 q$ bits whereas an $\mathbb{F}_{q^m}$-linear code uses only $k(n-k)\log_2 q^m = k(n-k)\,m \log_2 q$ bits. This is particularly interesting for cryptographic applications where this notion is directly related to the public key size. We can now define the two central problems in this field, namely

Problem 2.1 (Decoding in the rank metric). For a given matrix code $C$ of type $[m \times n, K]$ over $\mathbb{F}_q$, a matrix $A$ in $\mathbb{F}_q^{m \times n}$ and an integer $w$, find a codeword $c$ in $C$ such that $\mathrm{Rank}(A - c) = w$.

Problem 2.2 (Low rank codeword problem). For a given matrix code $C$ and an integer $w$, find a codeword $c$ of rank weight $w$ in $C$.

The decoding problem reduces to the low rank codeword problem by finding a codeword of weight $w$ in the matrix code $C'$, where $C'$ is generated by the codewords of $C$ and $A$, when $C$ does not contain codewords of rank weight $w$. In other words, decoding an error of weight $w$ in an $[m \times n, K]$ matrix code reduces to the problem of finding a codeword of weight $w$ in an $[m \times n, K+1]$ matrix code. Notice that the low rank codeword problem is slightly simpler for matrix codes obtained from $\mathbb{F}_{q^m}$-linear codes. Indeed, we may assume that the codeword $c$ of weight $w$ contains a coordinate equal to 1. This follows from the fact that multiplying $c$ by any nonzero element of $\mathbb{F}_{q^m}$ does not change the rank of the associated matrix. In other words, we have some additional knowledge about the codeword (or the error) of weight $w$ in this case. Notice that the support trapping decoding algorithm (see next section) of [12] and the decoding algorithm of [21] given for $\mathbb{F}_{q^m}$-linear codes both exploit this knowledge. They have an asymptotic exponential complexity of the form [...] whereas it would have been only [...] for an unstructured matrix code with the same parameters.


3 A support trapping decoding algorithm

[12] has introduced a very neat and simple algorithm for decoding in the rank metric. It can be considered as a support trapping decoding algorithm for an $[m \times n, k.m]$ matrix code that tries to guess a subspace $F$ of the column space $\mathbb{F}_q^m$ of $m \times n$ matrices over $\mathbb{F}_q$ that contains the column space $E$ of the error $e$ we want to find. Since we focus on the low-weight codeword finding problem in this article we will explain this algorithm in the case where we look for a codeword $c$ of weight $w$ in an $[m \times n, K]$ code. In this case, $E$ is the column space of $c$. The next step is then to express the columns $c_i$ of $c$ in a basis $(f_1, \dots, f_r)$ of $F$, that is $c_i = \sum_{j=1}^{r} x_{ij}\, f_j$. This gives $n.r$ unknowns (the $x_{ij}$'s). From a parity-check matrix of the matrix code we deduce $n.m - k.m = (n-k)m$ equations involving the entries of $c$ that can all be expressed in terms of the $x_{ij}$'s. In other words, we have a linear system with $(n-k)m$ equations and $n.r$ unknowns. We choose $r$ to be the largest integer such that the number of unknowns does not exceed the number of equations. In our case, $r = m - \lceil km/n \rceil$.

The complexity of the algorithm depends on the probability of having $E \subset F$. It is equal to the number of subspaces of dimension $w$ in a subspace of dimension $r$, divided by the number of all subspaces of dimension $w$ in $\mathbb{F}_q^m$. This probability can be easily expressed with Gaussian coefficients, which count the number of subspaces of a vector space:

$$\frac{\begin{bmatrix} r \\ w \end{bmatrix}_q}{\begin{bmatrix} m \\ w \end{bmatrix}_q} = O\!\left(q^{-w(m-r)}\right). \qquad (1)$$


We use here the following notation.

Notation 3.1. $\begin{bmatrix} m \\ w \end{bmatrix}_q$ is the Gaussian binomial coefficient that is equal to the number of subspaces of $\mathbb{F}_q^m$ of dimension $w$. Recall that this coefficient satisfies $\begin{bmatrix} m \\ w \end{bmatrix}_q = O\!\left(q^{w(m-w)}\right)$.


The cost to solve a linear system of $(n-k)m$ unknowns by Gaussian elimination is $O((n-k)^3 m^3)$. Thus, the overall expected complexity for this algorithm is $O\!\left(q^{w(m-r)} (n-k)^3 m^3\right)$.

As explained in [12], $F$ can be viewed as the support of a codeword for the rank metric. What makes this notion interesting is that it establishes a parallel with the Hamming metric: indeed, if we know the support $F$ of a codeword $c$ we can recover $c$ in polynomial time by solving a linear system.

This algorithm is much more efficient than the algorithm in [21] when $m < n$. Let us notice that in the case $m > n$ we can improve this algorithm in a simple way by using the notion of the transposed code which is defined as follows [10].

Definition 3.2 (transposed code). The transposed code of an $[m \times n, K]$ matrix code $C$ over $\mathbb{F}_q$ is the $[n \times m, K]$ matrix code over $\mathbb{F}_q$ obtained by $C^T = \{M^T,\ M \in C\}$.


The idea underlying the definition of such a code is that transposing a matrix preserves its rank, therefore the minimum rank weight (nonzero) codeword of $C$ can be obtained from the transpose of the minimum rank weight (nonzero) codeword of $C^T$. Notice that taking the transpose basically swaps the roles of $n$ and $m$. This notion can be used when $m > n$ for finding a codeword of weight $w$ in a matrix code $C$ by looking for a codeword of weight $w$ in $C^T$. It is readily seen that this leads to an algorithm of complexity [...] for finding a codeword of weight $w$. This is precisely the complexity that the algorithm of [21] would give for finding a codeword of weight $w$ in a matrix code. However the algorithm presented here is much simpler than the algorithm of [21].

4 A low weight codeword finding algorithm using additional knowledge on the codeword

In this section, we assume that we have additional knowledge about the codeword of weight $w$ we want to find in the form of linear combinations of its columns. More precisely we are looking for an algorithm whose input and output are specified in Algorithm 1.


Algorithm 1: Low rank codeword finding with additional information

Input:

(i) an $[m \times n, k.m]$ matrix code $C$ over $\mathbb{F}_q$ that has at least one codeword $c = (c_{ij})_{1 \le i \le m,\, 1 \le j \le n}$ of rank weight $w$;

(ii) $a$ elements $c'_1, \dots, c'_a$ in $\mathbb{F}_q^m$ that are linear combinations of columns of $c$;

(iii) the coefficients $\lambda_{ij}$ of these linear combinations, that is, if we denote by $c_{\cdot j} = (c_{ij})_{1 \le i \le m}$ the $j$-th column of $c$, then $c'_i = \sum_{j=1}^{n} \lambda_{ij}\, c_{\cdot j}$ for $i \in \{1, \dots, a\}$.

Assumes: $c'_1, \dots, c'_a$ are linearly independent.

Output: a codeword of $C$ of rank weight $w$.


The case of a matrix code obtained from an $\mathbb{F}_{q^m}$-linear code is a particular case of such additional knowledge: as explained before we can assume that one of the columns of the codeword we are looking for is the column $(1\ 0 \ldots 0)^T$. The folding attack that we present in Section 5 will provide another example where we have the knowledge of two independent linear combinations of the columns and will use in an essential way the algorithm we give here.

4.1 The case $n > m$

We use here a variation of the support trapping algorithm of [12]. The case when $a = 1$ and when the matrix code is obtained from an $\mathbb{F}_{q^m}$-linear code is already treated in [12, Prop. 3.1]. Generalizing this argument to the more general setting considered here just consists in choosing, in the error trapping algorithm recalled in Section 3, $F$ as a random subspace of dimension $r$ that contains the subspace generated by the $a$ elements $c'_1, \dots, c'_a$. This leads to the following proposition.

Proposition 4.1. The support trapping algorithm outlined above has expected complexity $O\!\left((n-k)^3 m^3\, q^{(w-a)(m-r)}\right)$ when applied on a matrix code over $\mathbb{F}_q$ of type $[m \times n, k.m]$.

The complexity given follows almost immediately from the following proposition.
Proposition 4.2. Let $E$ be a subspace of dimension $w$ of $\mathbb{F}_q^m$ and let $E'$ be a subspace of $E$ of dimension $a$. Let $S$ be the set of subspaces of dimension $r$ of $\mathbb{F}_q^m$ that contain $E'$ and let $F$ be an element of $S$ chosen uniformly at random. We have

$$\mathrm{Prob}(E \subset F) = \frac{\begin{bmatrix} r-a \\ w-a \end{bmatrix}_q}{\begin{bmatrix} m-a \\ w-a \end{bmatrix}_q} = O\!\left(q^{-(w-a)(m-r)}\right).$$

Proof. Let $V = \mathbb{F}_q^m / E' \simeq \mathbb{F}_q^{m-a}$. Let $\pi$ be the canonical surjection from $\mathbb{F}_q^m$ to $V$:

$$\pi : \mathbb{F}_q^m \to V,\qquad x \mapsto x + E'.$$

It is well known that $\pi$ gives a one-to-one correspondence between the subspaces of $\mathbb{F}_q^m$ which contain $E'$ and the subspaces of $V$.


Lemma 4.3. Let $F$ be a subspace of dimension $r$ of $\mathbb{F}_q^m$ that contains $E'$. The dimension of $\pi(F)$ is $r - a$.

Proof. Let $(e_1, \dots, e_a)$ be a basis of $E'$. We can complete this basis into a basis $(e_1, \dots, e_a, f_1, \dots, f_{r-a})$ of $F$. It is obvious that $(\pi(f_1), \dots, \pi(f_{r-a}))$ is a basis of $\pi(F)$, so $\dim \pi(F) = r - a$. □


By using this lemma, we finish the proof of Proposition 4.2. There are $\begin{bmatrix} m-a \\ w-a \end{bmatrix}_q$ subspaces of $V$ of dimension $w - a$. This implies that there exist $\begin{bmatrix} m-a \\ w-a \end{bmatrix}_q$ subspaces of dimension $w$ of $\mathbb{F}_q^m$ that contain $E'$. Let $F$ be a subspace of dimension $r$ of $\mathbb{F}_q^m$ that contains $E'$. According to the previous lemma, $\dim \pi(F) = r - a$. So $\pi(F)$ contains $\begin{bmatrix} r-a \\ w-a \end{bmatrix}_q$ subspaces of dimension $w - a$. From this, we deduce that $F$ contains $\begin{bmatrix} r-a \\ w-a \end{bmatrix}_q$ subspaces of dimension $w$ that contain $E'$. Hence

$$\mathrm{Prob}(E \subset F) = \frac{\begin{bmatrix} r-a \\ w-a \end{bmatrix}_q}{\begin{bmatrix} m-a \\ w-a \end{bmatrix}_q} = O\!\left(q^{-(w-a)(m-r)}\right). \qquad □$$


The proof of Proposition 4.1 follows directly from this proposition. Indeed we choose in the support trapping algorithm $E'$ to be the linear space generated by $c'_1, \dots, c'_a$ and $F$ as a random subspace of $\mathbb{F}_q^m$ that contains $E'$. The expected complexity of the support trapping algorithm is now given by the inverse of the probability that we computed in Proposition 4.2 multiplied by the complexity of solving a linear system with $(n-k)m$ equations.
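The following Python program is an added worked example, not code from [12] or from this paper: it runs the support trapping algorithm of Section 3 over $\mathbb{F}_2$ on a constructed $[8 \times 8, 32]$ matrix code with a planted codeword of rank weight 2, optionally forcing the guessed support $F$ to contain known column combinations as in Section 4.1, and evaluates the probability of Proposition 4.2 (equation (1) when $a = 0$). Vectors of $\mathbb{F}_2^m$ are stored as $m$-bit integers and all function names are ours.

```python
import random
from fractions import Fraction

def gaussian_binomial(m, w, q=2):
    """Number of w-dimensional subspaces of F_q^m (Notation 3.1)."""
    if w < 0 or w > m:
        return 0
    num, den = 1, 1
    for i in range(w):
        num *= q ** (m - i) - 1
        den *= q ** (i + 1) - 1
    return num // den

def trap_probability(m, r, w, a=0, q=2):
    """Prop. 4.2: Prob(E in F) for a uniform r-dim F containing a known a-dim E' of E, dim E = w."""
    return Fraction(gaussian_binomial(r - a, w - a, q), gaussian_binomial(m - a, w - a, q))

def xor_all(values):
    acc = 0
    for v in values:
        acc ^= v
    return acc

def reduce_mod(basis, v):
    """Canonical representative of v modulo span(basis): linear, kernel is exactly span(basis)."""
    for p in sorted(basis, reverse=True):       # basis: leading bit -> vector (echelon form)
        if v >> p & 1:
            v ^= basis[p]
    return v

def echelon_basis(vectors, basis=None):
    """Echelon basis of span(basis) + span(vectors); vectors of F_2^m are m-bit ints."""
    basis = dict(basis or {})
    for v in vectors:
        v = reduce_mod(basis, v)
        if v:
            basis[v.bit_length() - 1] = v
    return basis

def rank_weight(c):
    """Rank over F_2 of the m x n matrix whose columns are the n ints of c (Section 2)."""
    return len(echelon_basis(c))

def random_subspace_containing(m, r, known, rng):
    """Uniform r-dimensional subspace of F_2^m containing span(known) (the F of Section 4.1)."""
    basis = echelon_basis(known)
    while len(basis) < r:
        basis = echelon_basis([rng.randrange(1, 1 << m)], basis)
    return basis

def kernel_basis(vectors):
    """Basis of the dependencies among vectors, each as a bit mask of the indices involved."""
    basis, kernel = {}, []
    for k, v in enumerate(vectors):
        combo = 1 << k
        for p in sorted(basis, reverse=True):
            if v >> p & 1:
                v ^= basis[p][0]
                combo ^= basis[p][1]
        if v:
            basis[v.bit_length() - 1] = (v, combo)
        else:
            kernel.append(combo)
    return kernel

def support_trapping(gens, m, n, w, rng, known=(), max_tries=50000):
    """Support trapping of [12] over F_2 on the [m x n, K] code spanned by gens (lists of n
    column ints); the guessed F must contain the known columns, then C ∩ F^n is linear."""
    K = len(gens)
    r = (n * m - K) // n                      # largest r with n*r unknowns <= (n-k)m equations
    for tries in range(1, max_tries + 1):
        F = random_subspace_containing(m, r, list(known), rng)
        # every column of c lies in F  <=>  the packed reductions of c modulo F vanish
        kernel = kernel_basis([sum(reduce_mod(F, col) << (j * m) for j, col in enumerate(g))
                               for g in gens])
        for mask in range(1, 1 << min(len(kernel), 12)):   # enumerate C ∩ F^n (capped)
            combo = xor_all(vec for i, vec in enumerate(kernel) if mask >> i & 1)
            c = [xor_all(gens[k][j] for k in range(K) if combo >> k & 1) for j in range(n)]
            if rank_weight(c) == w:
                return c, tries
    return None, max_tries

def random_code_with_planted_word(m, n, K, w, rng):
    """Constructed instance: K - 1 random generators plus one word with columns in a random
    w-dimensional subspace E, hence of rank weight w."""
    while True:
        E = [rng.randrange(1, 1 << m) for _ in range(w)]
        planted = [xor_all(e for e in E if rng.getrandbits(1)) for _ in range(n)]
        if rank_weight(planted) == w:
            break
    gens = [[rng.randrange(0, 1 << m) for _ in range(n)] for _ in range(K - 1)] + [planted]
    rng.shuffle(gens)
    return gens, planted

def demo(seed=2024, m=8, n=8, K=32, w=2):
    """Plant a rank-w word, then search with a = 0 and with one known column (a = 1)."""
    rng = random.Random(seed)
    gens, planted = random_code_with_planted_word(m, n, K, w, rng)
    known = [col for col in planted if col][:1]
    return gens, planted, support_trapping(gens, m, n, w, rng), \
        support_trapping(gens, m, n, w, rng, known=known)
```

With $m = 8$, $r = 4$ and $w = 2$ the formula gives an expected $2159/7 \approx 308$ trials without extra knowledge and $127/7 \approx 18$ when one nonzero column of the sought word is known.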
4.2 The case $m > n$

This will be treated essentially by a variation on the error trapping algorithm applied to the transposed code which uses in a suitable way the additional knowledge about the codeword we want to find. The technical difficulty we face here can be described as follows. If we had additional knowledge about $c$ in the form of $a$ independent elements belonging to the row space of $c$, then we could immediately apply the algorithm given in Section 3 to the transposed code. However it turns out that in the case we are interested in, the knowledge about $c$ that we have concerns the column space of $c$. In this case, when we transpose $c$ to reverse the roles of $n$ and $m$, this translates into some knowledge of the row space of $c^T$ and we cannot use the algorithm of Section 3 anymore. This is why we are going to consider a slightly more complicated algorithm which is able to use some knowledge on the column space of $c$. It will be essential for our attack given in Section 5 to have an efficient algorithm for finding low-rank codewords by exploiting some knowledge about the low-rank codeword we are looking for. Even if the underlying code is defined for $m < n$, it turns out that we are reducing this problem to another low-rank finding problem in a new code where $m > n$. Of course we could still use the algorithm described in Section 3. It appears that the Ourivski-Johansson algorithm [21] is better in the regime where $n < m$. However, this algorithm in its [21] form is unable to take full advantage of the knowledge we have about the low-weight codeword we are looking for. It would have been possible to give a version of the Ourivski-Johansson algorithm that exploits additional knowledge in the same way we generalized slightly the support trapping algorithm of [12]. However, the Ourivski-Johansson algorithm is rather involved and we will use another approach here that recovers the same work factor as the Ourivski-Johansson algorithm in the case of decoding an $\mathbb{F}_{q^m}$-linear code but in a much simpler fashion. This new decoding algorithm is in essence a support trapping algorithm working on the transposed code. It will also be able to use in a simple way additional knowledge about the low rank word we are looking for.

The point is now that by applying a version of the support trapping algorithm of [12] that makes use in a suitable way of the additional knowledge we have about the support, we basically recover an algorithm with the same complexity as the Ourivski-Johansson algorithm for decoding $\mathbb{F}_{q^m}$-linear codes. More generally it will have an exponential asymptotic complexity of order $O\!\left((n-k)^3 m^3\, q^{(w-a)(n-r)}\right)$ for an $[m \times n, k.m]$ matrix code over $\mathbb{F}_q$ when we know $a$ independent linear combinations of the columns of the matrix codeword of rank $w$ we are looking for.

This algorithm can be described as follows.

Step 1 (transformation of the code): We first transform the matrix code $C$ by multiplying it on the right by an $n \times n$ invertible matrix $P$ such that $c$ gets transformed into a matrix $c'$ whose $a$ first columns are precisely the $c'_i$'s defined before. In other words, we consider the code $C' = CP$. If $c$ is a word of rank weight $w$ then $c'$ is still a word of rank weight $w$. Moreover, by the assumption on the independence of the $c'_i$'s for $i \in \{1, \dots, a\}$, we can further multiply $C'$ on the left by an $m \times m$ invertible matrix $Q$ such that $c'$ gets transformed into a matrix $c''$ whose first $a$ columns are the first $a$ elements $e_1, \dots, e_a$ of the canonical basis of $\mathbb{F}_q^m$, that is $e_i$ has only zero entries with the exception of the $i$-th entry which is equal to 1. Let $C''$ be the resulting code obtained by these operations, that is

$$C'' = QCP.$$

Notice that $c''$ still has rank $w$.

Step 2 (setting up the unknowns of the linear system): We are now basically going to apply a variation of the support trapping algorithm of [12] on $C''^T$ by choosing a subspace $V$ of $\mathbb{F}_q^n$ of dimension $r$ ($r$ will be specified later on) for which we hope that it contains the subspace generated by the columns of $c''^T$. A basis $v_1, \dots, v_r$ of this space is chosen such that

$$v_{j,i} = 0 \quad \text{for } i, j \text{ in } \{1, \dots, a\} \text{ and } i \ne j, \qquad (2)$$

$$v_{i,i} = 1 \quad \text{for } i \text{ in } \{1, \dots, a\}, \qquad (3)$$

$$v_{j,i} = 0 \quad \text{for } i \text{ in } \{a+1, \dots, r\} \text{ and } j \text{ in } \{1, \dots, a\}, \qquad (4)$$

where $v_{j,i}$ denotes the $j$-th coordinate of $v_i$. The entries $v_{j,i}$ are chosen uniformly at random for $i$ in $\{a+1, \dots, r\}$ and $j$ in $\{a+1, \dots, n\}$. The entries $v_{j,i}$ for $i$ in $\{1, \dots, a\}$ and $j$ in $\{a+1, \dots, n\}$ will be chosen afterwards. Denote by $C_1, \dots, C_m$ the $m$ columns of $c''^T$. Let us introduce the $x_{s,t}$'s in $\mathbb{F}_q$ that are such that

$$C_s = \sum_{t=1}^{r} x_{s,t}\, v_t \quad \text{for } s \text{ in } \{1, \dots, m\}. \qquad (5)$$

Notice now the following point.

Lemma 4.4. For $s > a$ and all $i$ in $\{1, \dots, a\}$ we have $x_{s,i} = 0$. If we denote by $C_{ij}$ the $i$-th element of the $j$-th column $C_j$ of $c''^T$ then $C_{ij} = 0$ for all $i, j$ in $\{1, \dots, a\}$ with the exception of the diagonal elements $C_{ii}$ that are equal to 1.

Proof. Denote by $R_1, \dots, R_n$ the $n$ rows of $c''^T$. Notice that

$$R_i = e_i \quad \text{for } i \text{ in } \{1, \dots, a\}, \qquad (6)$$

where the $e_i$'s are as before the canonical basis of $\mathbb{F}_q^m$. This implies directly that $C_{ij} = 0$ for all $i, j$ in $\{1, \dots, a\}$ with the exception of the diagonal elements $C_{ii}$ that are equal to 1. Moreover, by using (6) together with (2), (3) and (4) we know that $x_{s,i} = 0$ for $s > a$ and all $i$ in $\{1, \dots, a\}$. □

This motivates to define as unknowns the $(m-a)(r-a) + a(n-a)$ quantities $x_{s,t}$ and $C_{ij}$ for $s$ in $\{a+1, \dots, m\}$, $t$ in $\{a+1, \dots, r\}$, $i$ in $\{a+1, \dots, n\}$ and $j$ in $\{1, \dots, a\}$.

Moreover these unknowns satisfy $nm - km = (n-k)m$ linear equations obtained from the fact that $c''^T$ belongs to $C''^T$ which is a matrix code of dimension $km$. They can be obtained by computing a parity-check matrix of this code, then expressing the linear equations that the entries of $c''^T$ have to satisfy and then replacing these entries by the aforementioned unknowns by using (5) and Lemma 4.4. We choose $r$ such that the number of equations, that is $(n-k)m$, is at least equal to the number of unknowns, that is

$$(n-k)m \ge (m-a)(r-a) + a(n-a).$$

This can be obtained by choosing

$$r = \left\lfloor \frac{m}{m-a}(n-k) + a\,\frac{m-n}{m-a} \right\rfloor.$$

Step 3 (solving the linear system): The last point just consists in solving the linear system; this yields $c''^T$ and from this we deduce $c''$ and then $c$ by

$$c = Q^{-1} c'' P^{-1}.$$

The last point to understand is under which condition $V$ contains the subspace generated by the columns of $c''^T$. This depends on how we specify the entries $v_{j,i}$ for $i$ in $\{1, \dots, a\}$ and $j$ in $\{a+1, \dots, n\}$. We choose them such that (5) is verified for $s$ in $\{1, \dots, a\}$. This can obviously be done by choosing

$$v_i = C_i \quad \text{for } i \in \{1, \dots, a\}. \qquad (7)$$

Lemma 4.5. Let $V$ be chosen by a basis $v_1, \dots, v_r$ such that its $a$ first elements are given by (7) and the other elements are as specified in Step 2. Let $W$ be the subspace generated by the columns of $c''^T$. Let $W_0$ be the subspace of $W$ that is formed by the elements whose first $a$ entries are all equal to 0. In the same way, we denote by $V_0$ the subspace that is formed by the elements of $V$ whose first $a$ entries are all equal to 0. We have $W \subset V$ iff $W_0 \subset V_0$.

Proof. It is clear that $W \subset V$ implies $W_0 \subset V_0$.

Now assume that $W_0 \subset V_0$. Notice that $W$ is generated by $W_0$ and by the first $a$ columns of $c''^T$, that is $C_1, \dots, C_a$. Since $V$ is generated by the same first $a$ columns of $c''^T$, $C_1, \dots, C_a$, and by $V_0$ we have that $W \subset V$. □


Putting all these considerations together we obtain that

Theorem 4.6. Let $C$ be an $[m \times n, k.m]$ matrix code which has at least one codeword of rank weight $w$ for which we know $a$ independent linear combinations of its columns as specified in Algorithm 1. Assume that $n < m$ and let $r = \left\lfloor \frac{m}{m-a}(n-k) + a\,\frac{m-n}{m-a} \right\rfloor$. Then the algorithm given in this section outputs a codeword of weight $w$ with complexity $O\!\left((n-k)^3 m^3\, q^{(w-a)(n-r)}\right)$.

Proof. This follows immediately from Lemma 4.5 and Proposition 4.2, which show that we will try an expected number of

$$\frac{\begin{bmatrix} n-a \\ w-a \end{bmatrix}_q}{\begin{bmatrix} r-a \\ w-a \end{bmatrix}_q} = O\!\left(q^{(w-a)(n-r)}\right)$$

spaces $V$ before finding the right one if there is only one codeword $c$ which has the right form. This is of course an upper bound if there is more than one codeword that has the right form. Each try of a tentative space $V$ takes time $O((n-k)^3 m^3)$, whose complexity is dominated by Step 3 when we solve a linear system with $(n-k)m$ equations and a number of unknowns that is less than the number of equations. □
5 Folding and projecting attack

In this section we present a key recovery attack on the LRPC cryptosystem [11]. The codes used there are defined by

Definition 5.1 (LRPC code). Let $C$ be the matrix code associated to the $\mathbb{F}_{q^m}$-linear code with a full rank parity check matrix $H$ of size $(n-k) \times n$. It defines an $[n, k]$ LRPC code of weight $d$ if the $\mathbb{F}_q$-subspace of $\mathbb{F}_{q^m}$ generated by the entries of $H$ is of dimension $d$.

A probabilistic decoding algorithm of polynomial time for LRPC codes is presented in [11]. This algorithm uses in an essential way the fact that such a code has a parity-check matrix $H$ whose entries lie in a subspace of small dimension. $H$ can be easily hidden by giving a systematic parity-check matrix $H_{\text{syst}}$. This family of codes can then be used in a McEliece type scheme [19]: the secret key is $H$ and the public key is $H_{\text{syst}}$. To recover the secret key, the attacker must find a word of weight $d$ in the dual of $C$, which is hard in principle. To decrease the key sizes, double-circulant LRPC codes are suggested in [11].

Definition 5.2. A double-circulant LRPC (DC-LRPC) code of weight $d$ over $\mathbb{F}_{q^m}$ is an LRPC code defined from a double-circulant parity check matrix $H = (H_1\ H_2)$ where $H_1$ and $H_2$ are two circulant matrices and the $\mathbb{F}_q$-subspace of $\mathbb{F}_{q^m}$ generated by the entries of $H$ is of dimension $d$.


5.1 Folded and projected codes

We present here two new ingredients of the attacks that follow, namely the notion of folded code and the notion of projected code. The first attack uses only folding but the second attack uses both. The notion of projected codes uses the polynomial framework for dealing with quasi-cyclic codes [16, 15]. Quasi-cyclic codes are a generalization of double-circulant codes: they are defined by a parity check matrix formed only from circulant blocks. Such a quasi-cyclic code of length $N = \ell n$ defined over a finite field $\mathbb{K}$, where the size of the circulant blocks is $n$, can also be viewed as a code over the ring $\mathbb{K}[X]/(X^n - 1)$. This is a specific instance of cellular codes that are codes defined over a ring $\mathcal{R} = \mathbb{K}[X]/(f(X))$ where $f(X)$ is a polynomial of $\mathbb{K}[X]$.

For the reader's convenience, we recall here the polynomial formalism of [18, 15] and follow the presentation given in [17]. Recall that the fact that quasi-cyclic codes can be viewed as codes defined over the ring $\mathbb{K}[X]/(f(X))$ follows directly from

Proposition 5.3. The set of circulant matrices of size $n \times n$ over $\mathbb{F}_{q^m}$ is isomorphic to the $\mathbb{F}_{q^m}$-algebra $\mathbb{F}_{q^m}[X]/(X^n - 1)$ by the function $\varphi$

$$\varphi : \begin{pmatrix} a_0 & a_1 & \cdots & a_{n-1} \\ a_{n-1} & a_0 & \cdots & a_{n-2} \\ \vdots & & \ddots & \vdots \\ a_1 & a_2 & \cdots & a_0 \end{pmatrix} \longmapsto \sum_{i=0}^{n-1} a_i X^i.$$

More generally we consider codes over a finite field $\mathbb{K}$ derived from codes defined over a ring

$$\mathcal{R} \stackrel{\text{def}}{=} \mathbb{K}[X]/(f(X))$$

where $f$ is some polynomial in $\mathbb{K}[X]$ of degree $n$. They are derived from the following $\mathbb{K}$-isomorphism $\psi : \mathcal{R} \to \mathbb{K}^n$:

$$a(X) = \sum_{i=0}^{n-1} a_i X^i \longmapsto \psi(a(X)) = (a_0, \dots, a_{n-1}).$$

They are called cellular codes and are defined by

Definition 5.4 (cellular code). Consider a submodule $M$ of $\mathcal{R}^\ell$ of rank $s$. Let $\psi^\ell : \mathcal{R}^\ell \to \mathbb{K}^{\ell n}$ be the map that sends an element $(f_1, \dots, f_\ell)$ of $\mathcal{R}^\ell$ to $\mathbb{K}^{\ell n}$ by mapping each $f_i$ to $\psi(f_i)$. The cellular code associated to $M$ is given by $\psi^\ell(M)$. It is said to have index $\ell$ and it is a $\mathbb{K}$-linear code of length $\ell n$.

Remark 5.5. In order to avoid cumbersome notation, we identify $M$ with $\psi^\ell(M)$ in Section 5. Sometimes it will be better to view the cellular code $\psi^\ell(M)$ as $M$ and we will freely do this.

To obtain a generator matrix of the cellular code from a generator matrix

$$G_M = \begin{pmatrix} a_{1,1}(X) & \cdots & a_{1,\ell}(X) \\ \vdots & & \vdots \\ a_{s,1}(X) & \cdots & a_{s,\ell}(X) \end{pmatrix}$$

of the rank $s$ submodule we introduce the following mapping $\rho : \mathcal{R} \to \mathbb{K}^{n \times n}$:

$$a(X) = \sum_{i=0}^{n-1} a_i X^i \longmapsto \rho(a(X)) = \begin{pmatrix} \psi(a(X)) \\ \psi(X a(X)) \\ \vdots \\ \psi(X^{n-1} a(X)) \end{pmatrix}.$$

It is a bijective morphism of $\mathbb{K}$-algebras. When $f(X) = X^n - 1$ this is precisely the mapping that appears in Proposition 5.3. A generator matrix of the associated cellular code is now given by

$$G = \begin{pmatrix} A_{1,1} & \cdots & A_{1,\ell} \\ \vdots & & \vdots \\ A_{s,1} & \cdots & A_{s,\ell} \end{pmatrix}$$

where $A_{i,j} = \rho(a_{i,j}(X))$. This implies that the dimension $k$ of the cellular code satisfies $k \le ns$.


Definition 5.6 (projected code). Consider a cellular code $C$ of index $\ell$ defined over $\mathcal{R} \stackrel{\text{def}}{=} \mathbb{K}[X]/(f(X))$ and let $g(X)$ be a divisor of $f(X)$ in $\mathbb{K}[X]$. The projected cellular code is obtained by viewing a codeword $c$ of $C$ as an element of $\mathcal{R}^\ell$: $c = (c_1, \dots, c_\ell)$, and applying the surjective morphism $\Pi$ from $\mathbb{K}[X]/(f(X))$ to $\mathbb{K}[X]/(g(X))$ defined by $\Pi(a(X)) = a(X) \pmod{g(X)}$ to every entry $c_i$.

In the particular case where $f(X) = X^n - 1$ and $g(X) = X^m - 1$ where $m$ is a divisor of $n$, projecting corresponds to folding in the sense of [7, 8].
Definition 5.7 (folded code). Consider a quasi-cyclic code $C$ of index $\ell$ and length $n\ell$. Let $m$ be a divisor of $n$. Its folded code of order $m$ is a quasi-cyclic code of index $\ell$ and length $m\ell$ obtained by mapping each codeword $c = (c_0, \dots, c_{n\ell-1})$ of $C$ to the codeword $c' = (c'_0, \dots, c'_{m\ell-1})$ where

$$c'_i = \sum_{s=0}^{n/m - 1} c_{an+b+sm}$$

and $a$ and $b$ are the quotient and the remainder of the Euclidean division of $i$ by $m$:

$$i = am + b \quad \text{with } a \text{ and } b \text{ integers and } b \in \{0, \dots, m-1\}.$$

This really amounts to summing the coordinates that belong to the same orbit of a (permutation) automorphism of order $n/m$ that leaves the quasi-cyclic code invariant.

There are two points which make these two notions very interesting in the 
cryptographic setting. The first point is that these two reductions of the code 
do not lead to a trivial code at the end (one could have feared to end up with the 
full space after projecting or folding). This comes from the following proposition 
that is proved in [17, Corollary 1] 

Proposition 5.8. Consider a cellular code C of index i defined over TZ = 
]K[X]/(/(X)) and let g{X) he a divisor of f{X) in K[X]. The length of the 
projected code is i deg g whereas the dimension of is less than or equal to 
si where s is the rank of the cellular code. 

The second point is that this operation of folding behaves nicely with respect 
to projecting a quasi-cyclic code defined over an extension field F^m with respect 
to the rank distance over Fg when the divisor g belongs to Fq[X] 

Proposition 5.9 ([17, Prop.3[). Consider a cellular code C of index i defined 

over TZ ¥qm[X]/{f(X)) and let g{X) be a divisor of f{X) in¥q{X). Denote 
by n the associated projection operation. We have 

Rank(n(c)) < Rank(c) 

for any c € C where we view these codewords as matrices in or in 

jpmxfdegg matrix form of these codewords as defined in Section 2. 

Notice that this proposition can always be applied to folded codes. These 
two propositions allow us to search for a codeword $c$ of rank $w$ in a quasi-cyclic 
code $\mathcal{C}$ of index $\ell$ and length $n\ell$ defined over $\mathbb{F}_{q^m}$ by projecting it with respect 
to a divisor of $X^n - 1$ that belongs to $\mathbb{F}_q[X]$ (or by folding it) and looking for a 
word of rank $\le w$ in the projected or folded code. Roughly speaking, the first 
proposition ensures that we are not looking for such a word in the entire space. 
From the second proposition, we expect that as long as $w$ is below the Gilbert-
Varshamov bound of the projected (or folded) code, the codeword of weight $\le w$ we find 
in it corresponds to the projection of $c$. This allows us to recover 
$c$ easily. 



5.2 A first attack based on folding 

Let $\mathcal{C}$ be a DC-LRPC $[2k, k]$ code of weight $d$ over $\mathbb{F}_{q^m}$ obtained from a parity-
check matrix $H$. To recover $H$ it is clearly sufficient to find a codeword of rank 
weight $d$ in the dual of $\mathcal{C}$. Let $\mathcal{C}'$ be the folding of order 1 of $\mathcal{C}^\perp$. 

It is in general a $[2, 1]$ code. This folding reveals some additional information 
about the subspace $F$ of $\mathbb{F}_{q^m}$ generated by the coefficients of $H$. Namely, we 
have 

Proposition 5.10. Let $c' = (c'_1, c'_2)$ be in $\mathcal{C}'$. There exists $c$ of weight $d$ in $\mathcal{C}^\perp$ 
such that the $\mathbb{F}_q$-subspace generated by the coordinates of $c$ contains $c'_1$ and $c'_2$. 

Proof. If $\mathcal{C}'$ is the all-zero code or $c' = 0$ the conclusion follows directly. 

Assume now that this is not the case. Then $\mathcal{C}'$ is of dimension 1. 
Consider a codeword $c$ of $\mathcal{C}^\perp$ which is of weight $d$. Let $c''$ be the folded version 
of $c$. We have in this case $c' = \alpha c''$ for some $\alpha \in \mathbb{F}_{q^m}^*$. Note that $c'$ is the folded 
version of $\alpha c$, since folding is $\mathbb{F}_{q^m}$-linear. We observe now two things, and this finishes the proof: 

• $d = \mathrm{Rank}(c) = \mathrm{Rank}(\alpha c)$, where we view these codewords as matrices in 
$\mathbb{F}_q^{m \times n}$ as explained in Section 2 (multiplication by $\alpha \neq 0$ is an $\mathbb{F}_q$-linear 
bijection of $\mathbb{F}_{q^m}$, so it preserves the dimension of the $\mathbb{F}_q$-span of the coordinates). 

• $c'_1$ and $c'_2$ are in the $\mathbb{F}_q$-subspace of $\mathbb{F}_{q^m}$ generated by the coordinates of 
$\alpha c$, each being a sum of coordinates of $\alpha c$. 

□ 
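To make Definition 5.7, Proposition 5.9 and the observation behind Proposition 5.10 concrete, here is an added Python illustration (ours, not code from the paper). It fixes $q = 2$ and represents an element of $\mathbb{F}_{2^m}$ by an integer whose bits are its coordinates in some $\mathbb{F}_2$-basis, so that addition is XOR; because the divisor $g$ has coefficients in $\mathbb{F}_2$, reducing a block polynomial modulo $g$ also needs only XORs. The codeword, the parameters (6-bit field elements, $n = 6$, $\ell = 2$) and the divisors $g = X^3 - 1$ and $g = X - 1$ are constructed for the example. It checks that projecting modulo $X^3 - 1$ coincides with folding of order 3, that folding is invariant under the block-shift automorphism, that the $\mathbb{F}_2$-rank does not increase under folding (here it drops from 3 to 2), and that the coordinates of the order-1 folding (the one used in this subsection) lie in the $\mathbb{F}_2$-span of the coordinates of the original word.

```python
"""Folding and projecting a quasi-cyclic codeword over F_{2^m}, plus the
F_2-rank check of Proposition 5.9.  Added illustration, not code from the
paper.  Elements of F_{2^m} are ints whose bits are coordinates in an
F_2-basis, so field addition is XOR.  We fix q = 2 so that reduction modulo
a divisor g(X) in F_2[X] needs only XORs."""


def f2_rank(vectors):
    """Dimension of the F_2-span of the bit vectors (Gaussian elimination
    keeping one pivot per leading bit)."""
    pivots = {}
    for v in vectors:
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]
    return len(pivots)


def fold(c, n, ell, m):
    """Folded word of order m (Definition 5.7): c has index ell and length
    n*ell, m divides n, and c'_i = sum_s c_{a n + b + s m} with i = a m + b."""
    assert len(c) == n * ell and n % m == 0
    folded = []
    for i in range(m * ell):
        a, b = divmod(i, m)
        acc = 0
        for s in range(n // m):
            acc ^= c[a * n + b + s * m]
        folded.append(acc)
    return folded


def project(c, n, ell, g):
    """Projection with respect to a monic g in F_2[X]: each length-n block,
    read as a polynomial with F_{2^m} coefficients, is reduced modulo g.
    g is given by its coefficient bits [g_0, ..., g_r]."""
    r = len(g) - 1
    assert g[r] == 1 and len(c) == n * ell
    out = []
    for a in range(ell):
        coef = list(c[a * n:(a + 1) * n])        # coef[j] is the X^j coefficient
        for j in range(n - 1, r - 1, -1):
            lead = coef[j]
            if lead:                             # subtract lead * X^(j-r) * g(X)
                for t in range(r + 1):
                    if g[t]:
                        coef[j - r + t] ^= lead
        out.extend(coef[:r])
    return out


def shift_blocks(c, n, ell, t):
    """Cyclically shift every length-n block by t positions (an automorphism
    of any quasi-cyclic code of index ell)."""
    return [c[a * n + (j - t) % n] for a in range(ell) for j in range(n)]


# Constructed example: 6-bit field elements, n = 6, ell = 2 (length 12).
U, V, W = 0b000011, 0b001100, 0b110000        # three F_2-independent elements
EXAMPLE_C = [U, W, U ^ V, 0, W, U,             # block 0
             V, W, U ^ V, U, W, V]             # block 1


def demo():
    n, ell = 6, 2
    c = EXAMPLE_C
    folded3 = fold(c, n, ell, 3)                        # folding of order 3
    folded1 = fold(c, n, ell, 1)                        # folding of order 1 (Sect. 5.2)
    return {
        "rank_c": f2_rank(c),
        "folded3": folded3,
        "rank_folded3": f2_rank(folded3),               # <= rank_c by Prop. 5.9
        "fold_equals_projection": folded3 == project(c, n, ell, [1, 0, 0, 1]),
        "shift_invariant": fold(shift_blocks(c, n, ell, 3), n, ell, 3) == folded3,
        "folded1": folded1,
        "fold1_equals_projection": folded1 == project(c, n, ell, [1, 1]),
        "folded1_in_span_of_c": f2_rank(c + folded1) == f2_rank(c),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two projections used are $g = X^3 - 1$ (bits `[1, 0, 0, 1]`) and $g = X - 1$ (bits `[1, 1]`); the second one sums each block and is exactly the order-1 folding that produces the length-2 word of Proposition 5.10.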

We can use this in the decoding algorithm described in Section 4. From 
$c$ we recover immediately a parity-check matrix of the form $\beta H$, where $\beta \in 
\mathbb{F}_{q^m} \setminus \{0\}$, by building a parity-check matrix from $c$ and its cyclic shifts. 
For the parameters proposed in [11, 13], however, the complexity of the resulting attack 
does not improve on the attacks already considered there. 
Nevertheless, this proposition together with another projection of the code leads 
to a feasible attack against a certain parameter set of [11, 13], as we now show. 


5.3 An improved attack based on folding and projecting 


To improve the attack, we search for a word of weight $d$ in a projected code. 
This new attack depends on the factorization of $X^k - 1$. The length of the 
projected code we are interested in will be smaller than $m$, and we will use the 
algorithm of Subsection 4.2 instead. The attack can be described as follows. 

Step 1: Compute $\mathcal{C}'$, the folding of order 1 of $\mathcal{C}^\perp$, and extract a codeword $(c'_1, c'_2)$ 
in it. 

Step 2: Compute the projected code $\mathcal{C}^\perp_D$ with respect to a certain divisor 
$D(X)$ of $X^k - 1$ in $\mathbb{F}_q[X]$. 

Step 3: Find a codeword $c''$ in $\mathcal{C}^\perp_D$ of weight $w$ such that the $\mathbb{F}_q$-space generated 
by its coordinates contains $c'_1$ and $c'_2$, by using the algorithm of Subsection 4.2. 

Step 4: Let $F$ be the $\mathbb{F}_q$-subspace of $\mathbb{F}_{q^m}$ generated by the coordinates of $c''$. 
Find the codeword $c$ in $\mathcal{C}^\perp$ of rank weight $w$ whose support is $F$ (meaning that 
the $\mathbb{F}_q$-subspace generated by its coordinates should be contained in $F$). 

What justifies the third step is the fact that Proposition 5.10 generalizes 
easily to the projected code, whereas what justifies Step 4 is the fact that it is 
extremely likely that $c''$ is the projection of the codeword of weight $d$ in $\mathcal{C}^\perp$ we 
are looking for. We recover in this case such a codeword by the process of Step 
4. The complexity of this attack is dominated by the third step and is given by 
Theorem 4.6. 

In [11], some parameters for the LRPC cryptosystem are suggested. They 
are recalled in the following table: 

  n    k    m    q    d    security 
  74   37   41   2    4    80 
  94   47   47   2    5    128 
  68   34   23   2^4  4    100 

In each case the factorization of $X^k - 1$ in $\mathbb{F}_q[X]$ is given by 

(i) $X^{37} - 1 = (X - 1)\left(\sum_{i=0}^{36} X^i\right)$, the second factor being irreducible; 

(ii) $X^{47} - 1 = (X - 1)PQ$ with $\deg P = \deg Q = 23$; 

(iii) $X^{34} - 1 = (X - 1)^2 (P_1 \cdots P_8)^2$ with $\deg P_i = 2$ for all $i \in [1; 8]$. 

In the first case, the polynomial $X^{37} - 1$ has only two irreducible factors, so we can only 
use the first attack. In the second case, we can choose $D = P$ or $Q$ to obtain a 
projected code of dimension 23. According to Theorem 4.6, the resulting complexity 
is noticeably below the $2^{128}$ claimed in [11] and below the best attack found 
in [17, Subsec. 3.2]. 

The third case is the most interesting. Here we can freely choose the dimension 
of the projected code. Keep in mind that we want the Gilbert-Varshamov 
bound greater than $d$, which is the case when the dimension $k''$ of the projected 
code is $\ge 4$. We choose $k'' = 4$ and obtain in this case an attack whose complexity is 
far below the claimed $2^{100}$, which clearly makes it feasible. 

In [13], a new set of parameters is proposed, as follows: 

  n     k    m    q    d    security 
  82    41   41   2    5    80 
  106   53   53   2    6    128 
  74    37   23   2^4  4    100 


In each case the factorization of $X^k - 1$ in $\mathbb{F}_q[X]$ is given by 

(i) $X^{41} - 1 = (X - 1)PQ$ with $\deg P = \deg Q = 20$; 

(ii) $X^{53} - 1 = (X - 1)\left(\sum_{i=0}^{52} X^i\right)$, the second factor being irreducible; 

(iii) $X^{37} - 1 = (X - 1)P_1 \cdots P_4$ with $\deg P_i = 9$ for all $i \in [1; 4]$. 

The first case allows a non-trivial projection, but it is not sufficient to obtain 
a complexity better than $2^{80}$. In the second case, we can only use the folding 
attack, and its complexity is greater than $2^{128}$. 

In the third case, we can choose a projected code of dimension 9 and we 
obtain an attack whose complexity is noticeably below the claimed $2^{100}$. 

As we can see, it is crucial to choose $k$ such that $X^k - 1$ has the minimum 
number of factors in $\mathbb{F}_q[X]$. It can always be factored as $(X - 1)\left(\sum_{i=0}^{k-1} X^i\right)$, so one has 
to choose $\sum_{i=0}^{k-1} X^i$ irreducible in $\mathbb{F}_q[X]$. This implies $k$ prime (and coprime to $q$), but it is not sufficient, 
as the third case of the parameters proposed in [13] shows: for $k$ prime and coprime to $q$, 
$\sum_{i=0}^{k-1} X^i$ is irreducible over $\mathbb{F}_q$ exactly when $q$ is a primitive root modulo $k$, 
i.e. when the multiplicative order $t$ of $q$ modulo $k$ equals $k - 1$; otherwise it splits into 
$(k-1)/t$ irreducible factors of degree $t$ (for $k = 37$ and $q = 2^4$ one gets $t = 9$, 
hence the four factors of degree 9 above). 
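The criterion of this paragraph can be checked mechanically before fixing parameters. The following Python helper is an added example (ours, not code from the paper or from [11, 13]); it computes the degrees and multiplicities of the irreducible factors of $X^k - 1$ over $\mathbb{F}_q$, $q = p^s$, from the standard decomposition $X^k - 1 = \left(\prod_{d \mid k'} \Phi_d(X)\right)^{p^e}$ with $k = p^e k'$, $\gcd(k', p) = 1$, together with the fact that the cyclotomic polynomial $\Phi_d$ splits over $\mathbb{F}_q$ into $\varphi(d)/\mathrm{ord}_d(q)$ irreducible factors, all of degree $\mathrm{ord}_d(q)$. It reproduces the six factorization patterns listed above and flags which choices of $(k, q)$ leave only the two factors $X - 1$ and $\sum_{i=0}^{k-1} X^i$. It goes beyond the text in also handling composite $k$ and the case $p \mid k$ (repeated factors).

```python
"""Factorization pattern of X^k - 1 over F_q, q = p^s, as a parameter check
for quasi-cyclic (LRPC-style) codes: every non-trivial divisor of X^k - 1 in
F_q[X] hands the attacker a projected code to work with.  Added example, not
code from the paper."""
from math import gcd


def multiplicative_order(a, n):
    """Smallest t >= 1 with a^t = 1 (mod n); requires gcd(a, n) == 1."""
    if n == 1:
        return 1
    if gcd(a, n) != 1:
        raise ValueError("a must be invertible modulo n")
    a %= n
    t, x = 1, a
    while x != 1:
        x = (x * a) % n
        t += 1
    return t


def euler_phi(n):
    """Euler's totient function by trial division (n is small here)."""
    result, rest, f = n, n, 2
    while f * f <= rest:
        if rest % f == 0:
            result -= result // f
            while rest % f == 0:
                rest //= f
        f += 1
    if rest > 1:
        result -= result // rest
    return result


def factor_pattern(k, p, s=1):
    """Irreducible factors of X^k - 1 in F_q[X], q = p^s, as a sorted list of
    (degree, count, multiplicity): `count` distinct irreducible factors of that
    degree, each occurring `multiplicity` times.

    Write k = p^e * k' with gcd(k', p) = 1.  Then X^k - 1 = (X^k' - 1)^(p^e)
    and X^k' - 1 = prod_{d | k'} Phi_d(X), where the cyclotomic polynomial
    Phi_d splits over F_q into phi(d)/ord_d(q) irreducible factors, all of
    degree ord_d(q) (the multiplicative order of q modulo d)."""
    q = p ** s
    e, k_coprime = 0, k
    while k_coprime % p == 0:
        k_coprime //= p
        e += 1
    multiplicity = p ** e
    by_degree = {}
    for d in range(1, k_coprime + 1):
        if k_coprime % d:
            continue
        deg = multiplicative_order(q, d)           # d = 1 gives the factor X - 1
        by_degree[deg] = by_degree.get(deg, 0) + euler_phi(d) // deg
    return sorted((deg, cnt, multiplicity) for deg, cnt in by_degree.items())


def has_only_two_factors(k, p, s=1):
    """True iff X^k - 1 = (X - 1) * (X^(k-1) + ... + 1) with the second factor
    irreducible over F_q: no repeated factors and exactly two distinct
    irreducible ones.  For k prime this means q is a primitive root mod k."""
    pattern = factor_pattern(k, p, s)
    distinct = sum(cnt for _, cnt, _ in pattern)
    squarefree = all(mult == 1 for _, _, mult in pattern)
    return squarefree and distinct == 2


# (k, p, s) for the three parameter sets of [11] followed by the three of [13].
PARAMETER_SETS = [(37, 2, 1), (47, 2, 1), (34, 2, 4), (41, 2, 1), (53, 2, 1), (37, 2, 4)]

if __name__ == "__main__":
    for k, p, s in PARAMETER_SETS:
        print(f"X^{k} - 1 over F_{p ** s}: {factor_pattern(k, p, s)}"
              f"   only two factors: {has_only_two_factors(k, p, s)}")
```

Only $k = 37$ over $\mathbb{F}_2$ and $k = 53$ over $\mathbb{F}_2$ pass the check; $k = 47$ and $k = 41$ fail because $2$ has order $23$, resp. $20$, modulo $k$, and $k = 37$ over $\mathbb{F}_{2^4}$ fails because $16$ has order $9$ modulo $37$, which is exactly the third case of [13] discussed above.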